AWS Transfer for SFTP
User Guide


Rotating SSH Keys

As a security best practice, we recommend rotating your SSH keys. Usually, this rotation is specified as part of a security policy and implemented in some automated fashion. Depending on the required level of security, a highly sensitive communication might use an SSH key pair only once, which eliminates any risk from stored keys. However, it is much more common to store SSH credentials for a period of time and set a rotation interval that doesn't place undue burden on SFTP users. A time interval of three months is common.

There are two methods used to perform SSH key rotation:

  • For a single user, the SSH public key can be deleted in the console and a new SSH public key can be uploaded.

  • For multiple users, you can update existing users using the UpdateUser API command and a JSON data file.

To perform a key rotation for a single existing user

  1. On the Servers page, choose the server that has the user whose SSH public key you want to replace.

    That user's page opens, as shown following.

  2. Choose the SSH public key (Fingerprint) that you want to rotate, and then choose Delete.

  3. Confirm the deletion operation by entering the word delete for Confirm Deletion, and then choose Delete as shown following.

  4. Choose Add SSH public key to see the Add key screen, shown following.

    You return to the User configuration screen, and the new SSH public key that you just uploaded appears in the SSH public keys section.

To perform SSH public key rotation for multiple users, prepare the appropriate JSON data file and issue the UpdateUser API command.
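The multi-user method above is driven by a JSON data file. The script below is an added example and not code from the AWS documentation: it reads such a file, checks each user's current keys against the three-month interval mentioned earlier, and for each user imports the new key before deleting the old ones so the user is never left without a working key. It calls the boto3 `transfer` client methods `describe_user`, `import_ssh_public_key` and `delete_ssh_public_key` (the DescribeUser, ImportSshPublicKey and DeleteSshPublicKey API actions); using those actions rather than UpdateUser for the key operations is an assumption of this example. The JSON file layout, the server ID, the user name and the key bodies are all constructed, and `FakeTransferClient` is an offline stand-in with the same three method names so the example runs without AWS credentials; for real use, pass `boto3.client("transfer")` instead.

```python
"""Rotate AWS Transfer SFTP user SSH keys from a JSON data file (added example)."""
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def fingerprint(public_key_body: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys-format public key."""
    _key_type, b64, *_comment = public_key_body.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stale_keys(existing_keys, max_age=timedelta(days=90), now=None):
    """Key IDs imported longer ago than max_age (keys shaped like DescribeUser's SshPublicKeys)."""
    now = now or datetime.now(timezone.utc)
    return [k["SshPublicKeyId"] for k in existing_keys if now - k["DateImported"] > max_age]


def plan_rotation(existing_keys, new_key_body):
    """Decide whether the new key must be imported and which key IDs to delete afterwards.

    Keys are compared by fingerprint, so re-running on an already rotated user is a no-op.
    """
    new_fp = fingerprint(new_key_body)
    import_needed = all(fingerprint(k["SshPublicKeyBody"]) != new_fp for k in existing_keys)
    to_delete = [k["SshPublicKeyId"] for k in existing_keys
                 if fingerprint(k["SshPublicKeyBody"]) != new_fp]
    return import_needed, to_delete


def rotate_user(client, server_id, user_name, new_key_body):
    """Import the new key first, then delete every other key, so access is never interrupted."""
    existing = client.describe_user(ServerId=server_id, UserName=user_name)["User"].get("SshPublicKeys", [])
    import_needed, to_delete = plan_rotation(existing, new_key_body)
    if import_needed:
        client.import_ssh_public_key(ServerId=server_id, UserName=user_name, SshPublicKeyBody=new_key_body)
    for key_id in to_delete:
        client.delete_ssh_public_key(ServerId=server_id, UserName=user_name, SshPublicKeyId=key_id)
    return import_needed, to_delete


def rotate_from_file(client, json_text):
    """Apply the rotation file ({"ServerId": ..., "Users": [{"UserName", "NewPublicKey"}]}) to every user."""
    data = json.loads(json_text)
    return {u["UserName"]: rotate_user(client, data["ServerId"], u["UserName"], u["NewPublicKey"])
            for u in data["Users"]}


def _sample_key(seed: int) -> str:
    # Constructed, ed25519-shaped key body (not a real key): SSH wire format is the
    # string "ssh-ed25519" followed by a 32-byte string, base64-encoded.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + f" user{seed}@example"


OLD_KEY = _sample_key(1)
NEW_KEY = _sample_key(2)
# Constructed rotation file; the server ID is a placeholder, not a real server.
SAMPLE_ROTATION_FILE = json.dumps({"ServerId": "s-EXAMPLE0000000000",
                                   "Users": [{"UserName": "alice", "NewPublicKey": NEW_KEY}]})


class FakeTransferClient:
    """Offline stand-in exposing the three boto3 'transfer' methods the script uses."""
    def __init__(self, users):
        self.users = users          # {user_name: [key dicts as returned by DescribeUser]}
        self.calls = []             # audit trail of (action, user, key id)
        self._counter = 0

    def describe_user(self, ServerId, UserName):
        return {"ServerId": ServerId,
                "User": {"UserName": UserName, "SshPublicKeys": list(self.users.get(UserName, []))}}

    def import_ssh_public_key(self, ServerId, UserName, SshPublicKeyBody):
        self._counter += 1
        key_id = f"key-{self._counter:016x}"
        self.users.setdefault(UserName, []).append({"SshPublicKeyId": key_id,
                                                    "SshPublicKeyBody": SshPublicKeyBody,
                                                    "DateImported": datetime.now(timezone.utc)})
        self.calls.append(("import", UserName, key_id))
        return {"ServerId": ServerId, "UserName": UserName, "SshPublicKeyId": key_id}

    def delete_ssh_public_key(self, ServerId, UserName, SshPublicKeyId):
        self.users[UserName] = [k for k in self.users[UserName] if k["SshPublicKeyId"] != SshPublicKeyId]
        self.calls.append(("delete", UserName, SshPublicKeyId))


def demo():
    """Rotate one user whose only key is 120 days old; returns what a run would report."""
    initial = [{"SshPublicKeyId": "key-old", "SshPublicKeyBody": OLD_KEY,
                "DateImported": datetime.now(timezone.utc) - timedelta(days=120)}]
    client = FakeTransferClient({"alice": list(initial)})
    overdue = stale_keys(initial)                      # ["key-old"]: past the 90-day interval
    results = rotate_from_file(client, SAMPLE_ROTATION_FILE)
    return {"overdue": overdue, "results": results, "calls": client.calls,
            "remaining": client.users["alice"], "client": client}


if __name__ == "__main__":
    run = demo()
    print("overdue before rotation:", run["overdue"])
    print("actions:", run["calls"])
    print("remaining fingerprints:", [fingerprint(k["SshPublicKeyBody"]) for k in run["remaining"]])
```

The order inside `rotate_user` is the important part: the new key is imported before any old key is deleted, and keys are matched by fingerprint rather than by ID, so the script can be re-run safely and only ever removes keys that differ from the one in the data file.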